September 2013 The RMA Journal 28
OPERATIONAL RISK

The Importance of Sustainable Policy Management in Delivering an Effective Risk Program
Here are six steps to ensuring that your firm’s approach to policy management is improving risk mitigation while meeting stakeholder needs.
by Greg Montana, Daniel Paula, and Jane Krecicki
Since the financial crisis of 2007-09, much has been written about the importance of a strong risk management function capable of challenging front-line business units within financial services firms. Since the crisis, many of these firms have focused on expanding and improving their internal risk management functions, and many have made significant progress.

Risk management is in the spotlight, as indicated by U.S. Comptroller of the Currency Thomas Curry, who stated that operational risk is now the most important determinant of a financial institution’s robustness and stability, replacing credit risk as the major safety and soundness challenge for national banks.[1]

It is axiomatic that enterprise policy management should be a vital part of an effective risk management program, and there is strong evidence that banks and other financial institutions have focused on this aspect in efforts to improve their risk programs. Nonetheless, for policy management to have a sustainable impact, risk managers should follow a set of leading practices and make sure to give those practices ongoing attention and maintenance.

This article will discuss the art of risk mitigation through sustainable policy management practices. It will identify key stakeholders and their interests and propose leading practices for the financial services industry as it deals with the aftermath of the financial crisis.
Six Leading Practices in Policy Management

A properly structured policy management program adds value to all stakeholders of a financial services firm. These include internal stakeholders, such as employees, executive management, and the board, as well as external stakeholders, such as clients, auditors, and regulators. Employees want clear, easy-to-understand, and accessible policy documentation so they will know what is expected from them. Executive management and the board are interested in how well strategies and goals are being carried out through codified expectations in well-written corporate policies. Internal auditors and government regulators are interested in measuring policy adherence and in ensuring that policies meet regulatory and industry standards. Clients rightfully expect their financial institutions and vendors to have policies that protect their assets and sensitive data.

Meeting all these expectations is at the heart of a strong enterprise policy management program. Based on experience in developing and leading policy management programs, the authors have observed these leading practices:
1. Establish a policy office and define clear roles and responsibilities for the policy management process.

Creating a policy office in effect creates a central function with clear authority for administrating the policy management program. The policy office should then define the roles and responsibilities for all other participants in the policy management program. Policy owners (or stewards) with the correct subject-matter expertise should be assigned to all policies and given accountability for authoring and maintaining them. Oversight and governance of the policy management framework should be centralized within the policy office to ensure that policy owners across the organization are performing consistently. Responsibilities for compliance, implementation of policy requirements, and employee training should also be clearly articulated. Executive management should not only be informed of all new policies, but be required to approve major policy changes as well as new material policies. The policy-approval process should be crystal clear. Any policy exceptions ought to be individually approved and monitored. Finally, the list of policy owners (or stewards) should be kept current. All changes should be formally approved on a regularly scheduled basis.
2. Spend time on semantics because it matters.

A consistent taxonomy is also a fundamental part of solving the policy management puzzle. A clear and concise working definition of a “policy,” a “standard,” a “procedure,” or a “guideline” should be documented and disseminated throughout the organization. Organizations should also consider developing training targeted at policy owners to ensure that corporate policy writing and maintenance activities are executed consistently. An organization’s central policy management team is perfectly positioned to work with policy owners to ensure that every policy meets consistent criteria.
3. Centralize policy documentation and make it easy to find.

Centralizing policies and making them easily accessible to employees are keys to sustaining a successful policy management program. Policies should not be dispersed but rather consolidated, maintained, and managed, ideally by using technological solutions to automate workflow and document management activities that ensure positive control over the content. Organizations should keep their policy inventory in a centralized location, subject to strong version control, functioning as the one-stop shop for all corporate policy needs. This construct is helpful in avoiding the proliferation of user-defined intranet portals, which are outside the oversight of the central policy governance team. Automated tools can be used to configure search parameters and render policy documents to avoid confusion, simplify the user experience, and keep the content current.
4. Measure to manage the program.

With one central repository, metrics and reporting can be used to manage the quality and accuracy of the policy inventory. A simple yet helpful risk indicator is the percentage of policy documents with past-due reviews, which measures the quality of the policy inventory. It can also be used as a forward-looking (predictive) indicator of poor compliance or audit ratings. The higher the percentage, the more likely your policy documentation is outdated and the less likely your business standards and employee practices are reflecting your policy. In a nutshell: Policies cannot afford to be outdated. They must be reviewed and updated on a regular basis. The frequency of policy review and updating should be based on a simple, risk-based approach. Policies intended to cover the highest-risk practices should be reviewed and updated at least annually. The speed with which the regulatory landscape changes demands nothing less. In addition, policy management reporting should be incorporated into overall governance routines such as line of business or corporate operational risk committees to give visibility on all policy activity as well as risk indicator levels.

[Figure: policy document hierarchy. Policy: What? Standard: How? Guideline: Best Practices. Axes: Details/Depth versus Broader Implications.]
5. Train, train, train.

Well-defined policy awareness training should be part of every company’s new-hire orientation program, covering at least the most important corporate policies. In addition, on an annual basis, a thematic analysis of recurring issues and control breakdowns should be performed to reveal any potential policy gaps and to yield insights into which policies might need to be disseminated to employees. More often than not, behind every control breakdown is a human being who did not make the right call at the right time. While human error cannot be completely avoided, adequate policy awareness training can be an effective mitigation strategy. The highly regulated airline industry, with its focus on rigorous and ongoing safety training to ensure all employees are aware of policies and requirements, provides a good example for the financial services industry. When it comes to increasing employee awareness, the best practice is to have a single policy system that allows employees to see all of the policies that apply to their specific roles in the organization and to receive an automated notification of new or revised policies.
6. Sign, attest, acknowledge, and track.

Attestation and acknowledgment must be integral parts of policy management. Even putting the most sophisticated policies in place is not enough. Organizations must also be able to attest to the training they provide, as well as certify that their employees understand and agree to comply with corporate policies.
Conclusion

Heightened regulatory expectations and ongoing change in the financial services industry demand a more disciplined approach to managing corporate policies. This article presented six policy management practices designed to improve risk mitigation while addressing what can often be complex stakeholder needs.

Whether you are managing operational risk at a community bank, a regional institution, a technology services provider, or a large bank, the challenges are similar. A consistent and structured enterprise policy management program is more than just collecting important documents and providing them when requested. It is about creating a lever that can be pulled to help reduce risk exposure, while enabling employees to understand their roles and perform their jobs more efficiently and effectively.
Greg Montana is executive vice president and CRO at FIS. He can be reached at greg.montana@fisglobal.com. Daniel Paula is senior vice president, risk management executive, and head of enterprise risk governance and policy at FIS. He can be reached at daniel.paula@fisglobal.com. Jane Krecicki, risk manager, leads the enterprise policy management program at FIS. She can be reached at Jane.Krecicki@FISGlobal.com.
Notes

[1] “‘An Extraordinary Thing’: OCC’s Curry Sees Operational Risk as Top Concern,” American Banker, May 16, 2012.
[Figure: Policy Management Lifecycle. Stages: Policy Development and Approval; Communicate, Train and Acknowledge; Implement and Enforce; Policy Measurement and Evaluation. Purposes: Define and Communicate Boundaries and Expectations; Communicate Expected Behavior; Drive Compliance Enforcement and Guide Desired Behavior; Establish Governance and Accountability Framework; Protect the Organization; Achieve Business Outcomes.]